Access Control

Understanding Access Control: Four-Part System, Categories, Policies, and Authentication

• Access control is used to restrict and allow access to resources like computers, homes, and smartphones.
• The four parts of access control are identification, authentication, authorization, and accountability.
• Identification asks "who" is requesting access, authentication verifies the requester's identity, authorization determines what the requester can access, and accountability tracks actions to individuals.
• Access control has two phases: policy definition and policy enforcement.
• Physical access controls restrict access to physical resources like buildings and parking lots, while logical access controls restrict access to computer systems and networks.
• Access control policies are a set of rules that allow a specific group of users to perform a particular set of actions on a particular set of resources.
• The four central components of access control policies are users, resources, actions, and relationships.
• There are five types of authentication: knowledge, ownership, characteristics, location, and action.
• Brute-force and dictionary attacks are common methods used by attackers to crack passwords.
• A brute-force attack involves trying every possible combination of characters, while a dictionary attack hashes words in a dictionary and compares them to the system password file.
• Examples of logical access controls for a human resources system include deciding which users can access sensitive information, monitoring user actions, and restraining or influencing user behavior.
• Access control is important for protecting resources from unauthorized use and ensuring that actions can be traced back to individuals.

Biometrics, Security Controls, and Cloud Computing

• Biometrics can be used for both identification and authentication.
• Biometric measures can be categorized as static (physiological) or dynamic (behavioral).
• Examples of static biometrics include fingerprints, palm prints, and hand geometry.
• Retina and iris scans, as well as facial recognition, are also types of biometrics.
• Behavioral biometrics include voice patterns, keystroke dynamics, and signature dynamics.
• Security controls are mechanisms that minimize the risk of attack for resources.
• Breaches in access control can result in disclosure of private information, data corruption, loss of business intelligence, and damage to equipment or systems.
• Cloud computing is the practice of using computing services delivered over a network.
• Cloud services can be provided through private, community, public, or hybrid cloud models.
• Private clouds are operated for a single organization, while community clouds provide services for several organizations.
• Public clouds are available to unrelated organizations or individuals and are managed by a third-party provider.
• Hybrid clouds contain components of more than one type of cloud and are useful for extending the limitations of more restrictive environments.

Firewalls and Their Processing Modes

• A firewall is a combination of hardware and software that filters or prevents specific information from moving between the outside and inside networks.
• The trusted network is the system of networks inside the organization that contains its information assets and is under the organization’s control.
• The untrusted network is the system of networks outside the organization over which the organization has no control.
• Firewalls prevent specific types of information from moving between two different levels of networks, such as an untrusted network like the Internet and a trusted network like the organization’s internal network.
• Firewalls fall into several major categories of processing modes: packet-filtering firewalls, application layer proxy firewalls, media access control layer firewalls, and hybrids.
• Packet-filtering firewalls examine the header information of data packets that come into a network and scan network data packets looking for compliance with the rules of the firewall’s database or violations of those rules.
• Packet-filtering firewalls inspect packets at the network layer or Layer 3 of the OSI model, which represents the seven layers of networking processes.
• Dynamic packet-filtering firewalls can react to network traffic and create or modify configuration rules to adapt.
• Static packet-filtering firewalls require the configuration rules to be manually created, sequenced, and modified within the firewall.
• Stateful packet inspection (SPI) firewalls keep track of each network connection between internal and external systems using a state table and that expedites the filtering of those communications.
• Application layer proxy firewalls are devices capable of functioning both as a firewall and an application layer proxy server, frequently installed on a dedicated computer separate from the filtering router, but commonly used in conjunction with it.
• The application firewall is also known as a proxy server because it can be configured to run special software that acts as a proxy for a service request, placed in an unsecured area of the network or in the demilitarized zone (DMZ) to expose the proxy server to higher levels of risk from less trusted networks, rather than exposing the Web server to such risks.